NuGet / Home

Repo for NuGet Client issues

[Client policy] An error NU3034 “Package 'Microsoft.Web.Infrastructure 1.0.0.0' from source 'https://api.nuget.org/v3/index.json': This package is signed but not by a trusted signer.” occurs when installing “Microsoft.AspNet.Mvc” package in PM UI #13349

Open CiciLi1 opened 5 months ago

CiciLi1 commented 5 months ago

NuGet Product Used

Visual Studio Package Management UI

Product Version

NuGet Client Dev\6.10.0.82

Worked before?

It doesn’t repro on VS Main\34426.11 + NuGet Client Dev\6.9.0.67.

Impact

It's more difficult to complete my work

Repro Steps & Context

Repro Steps:    

  1. Patch dotnet SDK: Patch dotnet SDK.

  2. Add NuGet.exe path into System variables and create a package with command "nuget pack .csproj" for testing.  

  3. Create a project, add required mode in nuget.config file with trusted signers list:

  4. Reload the solution, select package source "NuGet.org", install the package "Microsoft.AspNet.Mvc" with version 5.3.0 into the project in PM UI or CLI (cd to project and "nuget install Microsoft.AspNet.Mvc -version 5.3.0").

Expected:    

Verify there was no error and the package was installed in the project successfully.

Actual:       

The package failed to install with error NU3034 “Package 'Microsoft.Web.Infrastructure 1.0.0.0' from source 'https://api.nuget.org/v3/index.json': This package is signed but not by a trusted signer.” as below: [screenshot]

Notes:   

  1. The repro rate is 100%. 

  2. It also repros on these two test cases:

536740 Client policy test: Install/Restore with trusted signers and package reposigned with trusted repository (3 types of projects: PC/PR/Legacy PR)

536741 Client policy test: Install/Restore with trusted signers and package reposigned with trusted repository and with owner matching one in trusted repository entry (3 types of projects: PC/PR/Legacy PR)

  3. The root cause analysis: the package “Microsoft.AspNet.Mvc” is dependent on “Microsoft.Web.Infrastructure” which is not a trusted package.

(We verified the package “Microsoft.Web.Infrastructure 1.0.0.0” with the command "nuget.exe verify -all -verbosity detailed microsoft.web.infrastructure.1.0.0.nupkg"; the result is shown below.) [screenshot]

Verbose Logs

No response

nkolev92 commented 5 months ago

@CiciLi1

Can you please check whether https://devblogs.microsoft.com/nuget/the-nuget-org-repository-signing-certificate-will-be-updated-as-soon-as-april-8th-2024/ or https://github.com/NuGet/docs.microsoft.com-nuget/commit/bb9d25cc90e2a55c3cda4ea8b79d404f855cfdcf are of any help.

CiciLi1 commented 5 months ago

> @CiciLi1
>
> Can you please check whether https://devblogs.microsoft.com/nuget/the-nuget-org-repository-signing-certificate-will-be-updated-as-soon-as-april-8th-2024/ or NuGet/docs.microsoft.com-nuget@bb9d25c are of any help.

Hi @nkolev92, I checked the link you provided, which talks about repository signed certificates, but this issue is about author signed certificates.

nkolev92 commented 5 months ago

Thanks to your analysis, I see that Microsoft.Web.Infrastructure 1.0.0 is a package that was published in 2011, so it's expected that it doesn't have an author signature.

To me this looks like a bug has been fixed, rather than a newly introduced bug. I'm not sure what the root cause for that may be.
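Added example, not part of the thread and not NuGet client code: a simplified Python model of how require mode with a trustedSigners list applies to every package in an install closure, which is why a dependency without a trusted author signature can produce NU3034 even when the requested package is trusted. The fingerprints, the "example-author" entry and the signature metadata are constructed placeholders, and the model ignores owners, allowUntrustedRoot and certificate chain validation.

```python
import xml.etree.ElementTree as ET

# Constructed nuget.config: require mode with one trusted author certificate.
# Fingerprints are placeholders, not real certificate hashes.
NUGET_CONFIG = """<configuration>
  <config><add key="signatureValidationMode" value="require" /></config>
  <trustedSigners>
    <author name="example-author">
      <certificate fingerprint="AUTHOR-FP-PLACEHOLDER" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>"""

# Repository entry that can be added to the trusted signers list.
REPO_ENTRY = """<repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
  <certificate fingerprint="REPO-FP-PLACEHOLDER" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
</repository>"""

# Constructed signature metadata (an assumption for illustration): the
# dependency carries a repository signature but no author signature.
CLOSURE = [
    {"id": "Microsoft.AspNet.Mvc", "author_fp": "AUTHOR-FP-PLACEHOLDER", "repo_fp": "REPO-FP-PLACEHOLDER"},
    {"id": "Microsoft.Web.Infrastructure", "author_fp": None, "repo_fp": "REPO-FP-PLACEHOLDER"},
]

def load_policy(xml_text):
    """Return (validation mode, trusted fingerprints per signer type)."""
    root = ET.fromstring(xml_text)
    mode = "accept"  # NuGet's default when the key is absent
    for add in root.findall("./config/add"):
        if add.get("key") == "signatureValidationMode":
            mode = add.get("value").lower()
    trusted = {"author": set(), "repository": set()}
    for kind in trusted:
        for cert in root.findall(f"./trustedSigners/{kind}/certificate"):
            trusted[kind].add(cert.get("fingerprint"))
    return mode, trusted

def untrusted_packages(xml_text, packages):
    """Ids of packages in the closure that no trusted signer entry covers."""
    mode, trusted = load_policy(xml_text)
    if mode != "require":
        return []
    return [p["id"] for p in packages
            if (p.get("author_fp") or "") not in trusted["author"]
            and (p.get("repo_fp") or "") not in trusted["repository"]]

def with_repository_entry(xml_text):
    """Same config with the repository signer added to trustedSigners."""
    return xml_text.replace("</trustedSigners>", REPO_ENTRY + "</trustedSigners>")
```

With only the author entry, `untrusted_packages(NUGET_CONFIG, CLOSURE)` flags the dependency; with the repository entry added, the list is empty.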

SueSu01 commented 3 weeks ago

It still repros on VS Main\35222.175 + NuGet Client Dev\6.12.0.82.